From owner-freebsd-questions@FreeBSD.ORG Thu Nov 25 16:26:35 2010
Date: Thu, 25 Nov 2010 11:26:33 -0500
From: bluethundr
To: freebsd-questions
Subject: can't use godaddy SSL cert
List-Id: User questions

Hey list,

I was having a similar SSL/openLDAP problem to this last week.
I had a chance to look at this again today and it still appears to not be working. I called godaddy and had the last cert cancelled and reissued, as I had mis-typed the name of the CN on the last one.

I am trying to set up a Godaddy turbo SSL certificate with an openLDAP 2.4 server under FreeBSD 8.1.

[root@LBSD2:/usr/home/bluethundr]#pkg_info | grep openldap
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation

I have set up the certificate chain in my slapd.conf like so:

[root@LBSD2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
## TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt

I have tried each of the following certs with no luck in getting my cert to talk to its CA:

-rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
-r--r----- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
-r--r----- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt

and I get the same result for each when I attempt to connect to SSL on the LDAP server:

[root@LCENT01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt
13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')
13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
CONNECTED(00000003)
13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

ldapsearch -h ldap.example.com -d -1 -ZZ "dc=example,dc=com"
TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
TLS certificate verification: Error, unable to get local issuer certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30 ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It seems to indicate that it can't talk to its CA... does anyone have any suggestions on how to make this work?

thanks!

--
Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys B6D6EAC3
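Editor's note, added example (not part of the post above). The trace line "depth: 0, err: 20" is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY reported for the server certificate itself: the client looked for a certificate whose subject DN equals the server cert's issuer DN (here "CN=Go Daddy Secure Certification Authority") among the CA certificates it was given and found none. Two other things the output shows: the s_client run failed before any handshake because sf_issuing.crt did not exist in the directory it was run from, and port 389 is plain LDAP, so a TLS handshake there must be negotiated with StartTLS (newer OpenSSL releases accept -starttls ldap for this; LDAPS lives on 636). The script below reproduces the error 20 condition with a constructed root -> issuing CA -> server chain and then shows it clearing once the file handed to the verifier contains the actual issuer. The CA names, the host name ldap.example.com and the file layout under $WORK are assumptions for illustration, not the poster's real certificates.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Constructs a three-level chain with openssl, reproduces the
# "depth: 0, err: 20 ... unable to get local issuer certificate" failure,
# and shows verification succeeding once the issuing CA is supplied.
# Names (Example Root CA, Example Issuing CA, ldap.example.com) and the
# file layout under $WORK are assumptions for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the chain in a subshell so the caller's cwd is untouched.
# Every key is throwaway and unencrypted.
make_chain() (
    cd "$WORK"
    # Self-signed root CA (the kind of cert shipped in a vendor "bundle").
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
    # Issuing (intermediate) CA signed by the root, marked CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Issuing CA" -keyout inter.key -out inter.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null
    # Server (leaf) cert for the LDAP host, signed by the issuing CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.com" -keyout server.key -out server.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\n' > server.ext
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # What a TLSCACertificateFile needs to hold: the issuing CA plus the root.
    cat inter.crt root.crt > bundle.crt
)

# issuer_matches LEAF CANDIDATE: true if CANDIDATE's subject DN equals
# LEAF's issuer DN. Run this before pointing TLSCACertificateFile at a
# file; if no cert in the file passes, the verifier will report err 20.
issuer_matches() {
    want=$(openssl x509 -noout -issuer -in "$1")
    have=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=/issuer=/')
    [ "$want" = "$have" ]
}

# verify_leaf CAFILE [UNTRUSTED]: verify server.crt against CAFILE, with an
# optional untrusted intermediate. Prints 0 for OK, 20 for
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1 for any other failure.
verify_leaf() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.crt" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$WORK/server.crt" 2>&1 || true)
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo 20 ;;
        *": OK"*)                                   echo 0  ;;
        *)                                          echo 1  ;;
    esac
}

# Stand-alone run ("sh chain.sh run"): the failing and the working setups.
if [ "${1:-}" = "run" ]; then
    make_chain
    echo "root only           -> err $(verify_leaf "$WORK/root.crt")"
    echo "root + untrusted CA -> err $(verify_leaf "$WORK/root.crt" "$WORK/inter.crt")"
    echo "issuing CA + root   -> err $(verify_leaf "$WORK/bundle.crt")"
fi
```

The first verification (root only) is the poster's situation: the trust store has a CA, but not the one that signed the leaf, so the lookup for the leaf's issuer fails at depth 0. Supplying the issuing CA, either as an untrusted intermediate or concatenated into the CA file, lets the chain reach the root. The same issuer_matches check applied to the real server cert and each candidate file (ca_bundle.crt, gd_bundle.crt, sf_issuing.crt) shows which of them, if any, actually contains the "Go Daddy Secure Certification Authority" certificate.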